
EMS Administration Guide


Quarantining an endpoint from FortiOS using EMS

The Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes all of the following network components, you can configure the system to automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected:

  • FortiGate
  • FortiAnalyzer
  • FortiClient EMS
  • FortiClient

You must connect FortiClient to both the EMS and FortiGate. The FortiGate and FortiClient must both be sending logs to the FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login credentials.

This configuration functions as follows:

  1. FortiClient sends logs to the FortiAnalyzer.
  2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
  3. FortiGate determines if the FortiClient is among its connected endpoints and if it has the login credentials for the EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine the endpoint.
  4. EMS searches for the endpoint and sends a quarantine message to it.
  5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies the FortiGate and EMS of the status change.

Note: FortiClient (Linux) does not support this feature.

Prerequisites

The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate.

FortiClient

FortiClient must be installed on the endpoint and connected to EMS as part of a Security Fabric.

EMS

  1. You must create a profile for the endpoint. See Creating a profile to configure FortiClient.
  2. You must create an endpoint policy that applies the desired profile and Telemetry gateway list to the desired endpoint group. See Adding an endpoint policy.
  3. Enable Remote HTTPS access. See Configuring EMS settings.

FortiGate

Before automation can be triggered, you must configure the following:

  1. Configure an automation trigger.
  2. Configure an automation action.
  3. Configure an automation stitch.
  4. Configure EMS endpoint control.

To create an automation trigger, enter the following commands in the CLI:

config system automation-trigger
    edit "trigger01"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
end

To create an automation action, enter the following commands in the CLI:

config system automation-action
    edit "action01"
        set action-type quarantine-forticlient
        set minimum-interval 0
    next
end

To create an automation stitch, enter the following commands in the CLI:

config system automation-stitch
    edit "stitch01"
        set status enable
        set trigger "trigger01"
        set action "action01"
    next
end

To create an EMS firewall address object, enter the following commands in the CLI. This step is only necessary when using a version of FortiOS prior to 6.2.0:

config firewall address
    edit "EMS01"
        set type ipmask
        set subnet <EMS_IP_address> 255.255.255.255
    next
end

To configure EMS endpoint control, follow the instructions for your FortiOS version: the GUI procedure applies to FortiOS 6.2.0 or a later version, and the CLI commands apply to a version of FortiOS earlier than 6.2.0.

If using FortiOS 6.2.0 or a later version, do the following:

  1. Go to Security Fabric > Settings.
  2. Enable FortiClient Endpoint Management System (EMS).
  3. In the Name field, enter the desired EMS name.
  4. In the IP/Domain Name field, enter the EMS IP address or FQDN.
  5. In the Serial Number field, enter the EMS serial number. You can find this in the System Information widget on the EMS dashboard.
  6. In the Admin User field, enter the EMS admin username.
  7. In the Password field, enter the admin user's password.
  8. Click Apply.

If using a FortiOS version earlier than 6.2.0, enter the following commands in the CLI. In the following commands, <EMS_SERIAL_NUMBER> is the EMS serial number, <EMS_ADMIN> is the EMS administrator name, and <PASSWORD> is the EMS administrator's password:

config endpoint-control forticlient-ems
    edit "e01"
        set address "EMS01"
        set serial-number <EMS_SERIAL_NUMBER>
        set rest-api-auth userpass
        set https-port 443
        set admin-username <EMS_ADMIN>
        set admin-password <PASSWORD>
        set admin-type Windows
    next
end
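A misconfigured stitch fails silently: if the stitch names a trigger or action that does not exist, or the pre-6.2.0 endpoint-control entry points at a firewall address object that was never created, no quarantine is ever sent. The following script is an added example (not Fortinet's code and not a FortiOS or EMS tool) that parses the flat config/edit/set/next/end blocks shown in the automation trigger, action and stitch commands and in the EMS endpoint control commands above, then checks that every reference in that chain resolves. The configuration embedded in it is constructed to mirror this guide; its IP address, serial number and credentials are placeholders.

```python
"""Added example (not Fortinet's code): parse FortiOS-style CLI config text and
check the IoC quarantine chain (trigger -> action -> stitch, plus the pre-6.2.0
EMS endpoint-control entry) for dangling references."""
import shlex
from typing import Dict, List

# Constructed sample mirroring the guide's commands. The address, serial
# number, username and password are placeholders, not real values.
SAMPLE_CONFIG = """\
config system automation-trigger
    edit "trigger01"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
end
config system automation-action
    edit "action01"
        set action-type quarantine-forticlient
        set minimum-interval 0
    next
end
config system automation-stitch
    edit "stitch01"
        set status enable
        set trigger "trigger01"
        set action "action01"
    next
end
config firewall address
    edit "EMS01"
        set type ipmask
        set subnet 192.0.2.10 255.255.255.255
    next
end
config endpoint-control forticlient-ems
    edit "e01"
        set address "EMS01"
        set serial-number FCTEMS_PLACEHOLDER
        set rest-api-auth userpass
        set https-port 443
        set admin-username ems_admin_placeholder
        set admin-password password_placeholder
        set admin-type Windows
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios_config(text: str) -> Config:
    """Return {table: {entry: {setting: [values]}}} for flat config/edit/set/next/end
    blocks. Nested blocks or stray keywords raise ValueError instead of being skipped."""
    tables: Config = {}
    table = entry = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # honours FortiOS's quoted names
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config" and table is None:
            table = " ".join(args)
            tables.setdefault(table, {})
        elif kw == "edit" and table is not None and entry is None and args:
            entry = args[0]
            tables[table][entry] = {}
        elif kw == "set" and entry is not None and args:
            tables[table][entry][args[0]] = args[1:]
        elif kw == "next" and entry is not None:
            entry = None
        elif kw == "end" and table is not None and entry is None:
            table = None
        else:
            raise ValueError(f"line {lineno}: unexpected {raw.strip()!r}")
    if table is not None:
        raise ValueError("unterminated config block")
    return tables


def check_quarantine_chain(cfg: Config) -> List[str]:
    """Return findings; an empty list means every reference in the chain resolves."""
    findings: List[str] = []
    triggers = cfg.get("system automation-trigger", {})
    actions = cfg.get("system automation-action", {})
    stitches = cfg.get("system automation-stitch", {})
    if not stitches:
        findings.append("no automation stitch defined")
    for name, st in stitches.items():
        if st.get("status") != ["enable"]:
            findings.append(f"stitch {name}: status is not enable")
        trig = st.get("trigger", [None])[0]
        if trig not in triggers:
            findings.append(f"stitch {name}: trigger {trig!r} does not exist")
        elif triggers[trig].get("event-type") != ["ioc"] or "ioc-level" not in triggers[trig]:
            findings.append(f"trigger {trig}: not an IoC trigger with an ioc-level")
        act = st.get("action", [None])[0]
        if act not in actions:
            findings.append(f"stitch {name}: action {act!r} does not exist")
        elif actions[act].get("action-type") != ["quarantine-forticlient"]:
            findings.append(f"action {act}: action-type is not quarantine-forticlient")
    # Pre-6.2.0 endpoint control: 'address' must name an existing firewall
    # address object and the REST API credentials must be complete.
    addrs = cfg.get("firewall address", {})
    for name, ems in cfg.get("endpoint-control forticlient-ems", {}).items():
        ref = ems.get("address", [None])[0]
        if ref not in addrs:
            findings.append(f"ems {name}: address {ref!r} is not a firewall address object")
        if ems.get("rest-api-auth") != ["userpass"]:
            findings.append(f"ems {name}: rest-api-auth is not userpass")
        for key in ("serial-number", "admin-username", "admin-password"):
            if not ems.get(key):
                findings.append(f"ems {name}: {key} is missing")
    return findings


if __name__ == "__main__":
    for line in check_quarantine_chain(parse_fortios_config(SAMPLE_CONFIG)) or ["OK"]:
        print(line)
```

To use it against a real device, paste the output of `show system automation-trigger`, `show system automation-action`, `show system automation-stitch`, `show firewall address` and `show endpoint-control forticlient-ems` in place of the sample and run the script; any finding names the exact entry to fix before attempting the quarantine. On FortiOS 6.2.0 or later the EMS connector is configured in the GUI, so the endpoint-control checks simply find no entries and report nothing.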

Executing automation

Once the prerequisites are met, you can trigger the automation process. The following command triggers the quarantine action on the endpoint at <endpoint_ip_address>; replace <endpoint_ip_address> with the IP address of the endpoint to quarantine:

    diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <endpoint_ip_address>

After this action, EMS and FortiOS both display that the endpoint is quarantined.
